so many print statements

look at ratelimit kitsune's recaptcha changes in more detail, compare to how I did it.

can log in with correct password and username even when recaptcha is entered incorrectly.

Safe is considered harmful?

This standard

Following the PEP 8 guideline.

when not logged in, trying to click on "@login_required", e.g. msw index for now, gets bad url with "?next=": "http://10.250.3.248:8000/en-US/msw/templates/?next=/en-US/msw/"

TODO:

• read about Access control
• read about Django decorators

ACCESS CONTROL
    Presentation, Business, Data Layer Access Control
        Presentation and Data layers use decorators
        Read about presentation layer protection 
    (Possible) Two tier design for admin account separation
        The picture of separate control of changing passwords 

DONE:

• met with Michael to talk about what to do for Access Control

• 47 CSP recaptcha all solved!

• watched http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws

Even when they don't have set in settings.py: 'CSP_OPTIONS = ("eval-script",)'

problem seen on Firebug:

        call to setInterval blocked by CSP            recaptcha.js (line 23)

Because setInterval() is blocked by CSP.

Put 10 passwords on page to show people that they should not use common passwords.

Have a user friendly way of telling people to pick better passwords if they picked a common password

TODO:

• 24 start to separate richtext and url

• Wait for Brandon's advice. #40/#41 get recaptacha into csp

• 7 HTTP Only fix

• 16 SQL injection can't include script

DONE:

In firebug

        CSP: Directive "inline script base restriction" violated
        Recaptcha.widget = Recaptcha.$("recaptch...

I saw the same bug and they fixed it by updating jQuery to 1.5. Well I updated it to 1.6.2 and it's still not working!

(also check out #40)

just discovered.

set_cookie_httponly/demo/

Even if I set SESSION_COOKIE_HTTPONLY = False it still doesn't show up! (setting it back to true for now)

• playdoh's docs
• webdev docs
  -- Especially code review

big one

also do #18 change 79 columns

And follow other JS guidelines

Warnings from firebug:

CSP: Directive "inline script base restriction" violated
onclick attribute on A element

CSP: Directive "object-src 'none'" violated by https://www.google.com/recaptcha/api//img/audiocaptcha.swf?v2

Gotta fix some onclicks ... bsterne suggested:
"add an id and then from external script say document.getElementById(your_id).onclick = your_function"
I also have http://curioushq.blogspot.com/2011/07/when-you-cant-onclick.html

possibly looking at kitsune's ratelimit new changes and see how they do recaptcha

TODO:

• ask Michael what to do with CSP
  --> allow eval for setInterval?
  --> allow inline?
  --> make our own to get around setInterval?
  --> make our own to get around in-body script?

• start on Access Control

  ACCESS CONTROL
  Presentation, Business, Data Layer Access Control
      Presentation and Data layers use decorators
      Read about presentation layer protection 
  (Possible) Two tier design for admin account separation
      The picture of separate control of changing passwords 
  

• 24 start to separate richtext and url

• 7 HTTP Only fix

• 16 SQL injection can't include script

DONE:

• solved #45 --> learned about CSP_REPORT_ONLY
• made CSP image appear by bypassing in-body script and setInterval
• opened #47, CSP audio doesn't work

• changed sessions.backends.cached_db to the regular db
• read about Django sessions, authentication
• blog the settings bug

TODO:

• #24 start to separate richtext and url

Done:

• fixed #37
• 13:16 - 14:18 finished CSP demo.
• 14:18 --15:26 ice cream
• 15:26 -- 15:57 email
• 16:00 - 17:00 nap

• 20, #38, learned to put js right before body closes, learned that CSP blocks out iframes and HTML events as well. had to change all the onclicks()

TODO:

• Start Reading CSP

DONE:

• Webdev
  ---- 11am meeting
  -------- #6 separate the demos --> get a person to help. No need
  -------- ask about #9 multiple HMAC keys
• Repaptcha / Authentication
  ---- #5 blogged about how I did recaptcha
  ---- #28 Password Policy
  ---- #25 login recaptcha inconsistent
  ---- #32 add in blacklisted passwords
  ---- #30 test multiple IPs
  ---- Jsocol
  -------- #14 see how kitsune did its recaptcha
  -------- Ask what problem he has had with recaptcha

• SESSION_SET_HTTPONLY to true? --> it will affect the httponly demo
• SESSION_COOKIE_DOMAIN

only private data in settings_local

Django docs say:

validation of a Form is split into several steps ...

• validate()
• clean()
• clean_()
  

Can't find these things in source code:

# src/django/django/forms/forms.py

    def clean(self):
        """ 
        Hook for doing any extra form-wide cleaning after Field.clean() been
        called on every field. Any ValidationError raised by this method will
        not be associated with a particular field; it will have a special-case
        association with the field named '__all__'.
        """
        return self.cleaned_data

What does that mean? where does it check all the bullets?

• #1 separated settings.py and settings_local.py
• #15 Read webdev and playdoh docs

• 6 separate the demos --> email webdev

• Repaptcha
  -- #14 see how kitsune did its recaptcha
  -- #4 add recaptcha to login
  -- #5 blog about how I did recaptcha

TODO:

• 40/#41 get recaptacha into csp

• 24 start to separate richtext and url

• 7 HTTP Only fix

• 16 SQL injection can't include script

OTHERS:

• practice d
• watch my d
• practice again
• watch again

DONE:

• 09:00 - 10:00 Infrasec Meeting
• narrowed down #41to CSP policy issue, since the JS is already externalized.